Executive Summary
The last 24 hours have seen a significant escalation in the Australian cyber threat landscape, characterised by a convergence of AI-driven offensive operations and high-impact data breaches. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and private sector intelligence indicate a sharp rise in automated attacks targeting the Healthcare, FinTech, and Government sectors.
Of particular concern is the emergence of AI agents capable of automating complex attack chains, reducing the time from vulnerability discovery to exploitation to near zero.
Top Story: The Rise of AI-Driven Offensive Campaigns
Threat Actor Activity: A sophisticated campaign, tracked as GTG-1002, has been identified targeting Australian finance and government sectors. Unlike traditional attacks, this campaign utilises an AI agent to automate reconnaissance, exploit writing, and lateral movement.
- Impact: The window for patching has effectively closed for some zero-day vulnerabilities.
- Sector Risk: High for Government and Critical Infrastructure.
Sector-Specific Updates
1. Healthcare
The healthcare sector remains the primary target for ransomware and data extortion.
- Incident: Point Lonsdale Medical Group in Victoria has disclosed a cyber attack resulting in unauthorised access to personal information. This follows closely on the heels of the Genea breach, where the Termite ransomware group (an offshoot of Babuk) claimed responsibility for exfiltrating 700GB of patient data.
- Threat: Attackers are aggressively targeting patient management systems and third-party integrations.
2. Aviation & eCommerce
- Major Incident: Qantas Airways is reportedly investigating a significant data compromise affecting customer personal data. Threat intelligence suggests potential involvement from the Scattered Spider group, known for sophisticated social engineering and targeting large helpdesks.
- Implication: Organisations with large customer databases must urgently review their identity verification processes for customer support channels.
3. FinTech & SaaS
- Vulnerability: A critical flaw in WhatsApp’s Contact Discovery API has been exposed, potentially allowing the enumeration of active accounts. While Meta has implemented fixes, this highlights a broader risk for FinTech apps relying on similar contact syncing features.
- Trend: API security is a critical failure point. Financial services are currently facing a wave of API-layer DDoS attacks and credential stuffing, exploiting endpoints that lack adaptive multi-factor authentication (MFA).
- SaaS Alert: A "Loan Management System" source code leak has been detected, compromising API keys and database credentials. SaaS providers are urged to rotate secrets immediately.
4. Education & EdTech
- Ongoing Threat: Following the Western Sydney University breach, threat actors are leveraging stolen credentials to target other educational institutions. Phishing campaigns impersonating university IT support are currently active.
5. IoT & Critical Infrastructure
- Advisory: A new report from Semperis highlights that 52% of ransomware attacks in Australia now occur on weekends or holidays, exploiting reduced staffing in Security Operations Centres (SOCs).
- Vulnerability: Unpatched IoT devices in critical infrastructure are being targeted by state-sponsored actors to maintain persistence.
Critical Vulnerabilities & Exploits (Last 24 Hours)
- Microsoft WSUS (CVE-2025-59287): A critical vulnerability allowing privilege escalation. The ACSC has issued a high-priority alert for immediate patching.
- Citrix NetScaler (CVE-2025-5777): "Citrix Bleed 2" is being actively exploited in the wild to bypass authentication.
- Cisco ISE (CVE-2025-20337): Exploited as a zero-day to deploy custom malware.
- Samsung (CVE-2025-21042): A zero-day in image processing libraries is being used in targeted spyware campaigns via instant messaging apps.
Recommendations
- Patch Immediately: Prioritise Microsoft WSUS and Citrix NetScaler updates.
- API Hardening: Review all external API endpoints for rate limiting and broken object-level authorisation (BOLA).
- Enhance Monitoring: Increase SOC vigilance during the upcoming weekend to counter "holiday-timed" ransomware attacks.
- AI Defence: Begin evaluating AI-enabled defensive tools to counter the speed of automated AI attacks.
Contact us for a quote for penetration testing service or adversary simulation.